How does Tornado Cash actually work?

When a person uses the Tornado Cash contracts to protect their privacy, they arguably are not even engaged in the kinds of activities that can be sanctioned.

Today Coin Center published a detailed factual explanation of how Tornado Cash works. We worked with several world-class Solidity experts who generously donated their time to look directly at the smart contract code itself and offer an unbiased description of exactly how these contracts function and whether any of them are under the control of a person or entity. The results confirm a level of decentralization that was surprising, even to me.

None of the core contracts that provide privacy tools to users can be upgraded, changed, or altered. The privacy that users get from these contracts is guaranteed with math and software that is as immutable as the Ethereum blockchain itself.

To the extent that any of the OFAC-sanctioned addresses retain a human operator role, they are either mere donation addresses to support software development, ancillary services that never control user tokens, or defunct/never used addresses. Read the explainer, and check out the detailed appendix describing each address if you want more.

Additionally, our explainer describes exactly how Tornado Cash provides privacy for its users. The deposit and withdrawal contracts do not mix or commingle user tokens. Instead, each user puts in specific tokens from an address she controls and receives from the smart contract a specific note which, using zero knowledge proofs, allows that user to withdraw their specific tokens to another address without leaving a public record on-chain that could link the user’s sending and receiving address. While colloquially referred to as a “mixer,” the contract addresses are nothing of the sort. The better analogy is to a room full of safe deposit boxes. From the explainer:

Think of it like a bank’s safe deposit box room. Anyone can go and store valuables in a locked box in that room, and, assuming the locks are good, only the person with the key can ever get those valuables back. Security aside, however, this may or may not be privacy enhancing. If only one person is ever seen going into and out of the room, then we know any valuables in that room are theirs. If, on the other hand, many people frequently go into and out of the room, then we have no way of knowing who controls which valuables in which boxes. By guaranteeing the property that users can only withdraw tokens they originally deposited, many users can simultaneously use these pools with the assurance that no-one else will receive their tokens.

This setup, rather than a mixing of funds, even allows (or allowed) for compliance with AML/CFT laws, and developers created software tools so that users wishing or obligated to comply with laws in their specific jurisdiction could obtain a proof that their funds originated from an identified and non-sanctioned source:

To this end, the developers of Tornado Cash created the Tornado Cash Compliance Tool. Users supply the tool with the original “deposit note” generated during the pool deposit process to create a PDF report that provides proof of the original source of the tokens. Although the public link between a user’s deposit and withdrawal addresses was severed by the Tornado Cash pool contracts, the Compliance Tool allows users to selectively “undo” this severance to provide traceability to third parties.

This research is critical in laying the groundwork for a legal challenge that OFAC’s designation of Tornado Cash’s immutable contracts is inappropriate under the statutory authority granted by Congress in the International Emergency Economic Powers Act (IEEPA). As we explained last week, IEEPA empowers OFAC to sanction “property in which some foreign country or national has an interest” (50 U.S.C. §1702). Does the Tornado Cash listing fit within these powers, or is it statutory overreach? We believe it is clearly overreach.

First, the addresses themselves, and the software that they point to on the Ethereum blockchain, are not “property in which some foreign country or national has an interest.” They are widely distributed tools, ideas fixed in a shared medium of expression (the Ethereum blockchain), copies of which exist on the personal computers of thousands of persons around the world. Additionally, the small minority of contracts listed by OFAC that retain some level of human updateability are not actually used to control, mix, or move user funds. They are either ancillary services, donation addresses for software development efforts, or defunct and now unused contracts on the Ethereum blockchain.

Second, to the extent anyone has property in those addresses, it is because they’ve sought the privacy provided by those software tools. That property is their own and no one else has any meaningful control or ownership rights to that property. Nor is that property mixing or commingling with anyone else’s property. That property is, in effect, in a public room where very strong (indeed unbreakable) safe deposit boxes are available for anyone’s usage. Unless these sanctions are merely narrowly targeted at some specific users of those contracts, the other funds that Americans and other law-abiding persons have in those contracts are not properly the target of sanctions. Those funds, again, are not “property in which some foreign country or national has an interest.”

Third, when a person uses the Tornado Cash contracts to protect their privacy, they arguably are not even engaged in the kinds of activities that IEEPA empowers the President to block. Those activities listed in the statute are: “acquisition, holding, withholding, use, transfer, withdrawal, transportation, importation or exportation of, or dealing in, or exercising any right, power, or privilege with respect to, or transactions involving, any property in which any foreign country or a national thereof has any interest[.]” (Emphasis added.) While interactions with a smart contract are colloquially referred to as Ethereum “transactions,” and while fees are indeed paid to miners to include those “transactions” in blocks, the individual choice to move one’s tokens from a personal address to a Tornado Cash address is no more a “transaction” with another person than moving one’s valuables from a drawer in one’s home to a safe in one’s home. At no point does any third party have any control or power during the movement; only the person to whom the valuables belong retains possession and control. That activity is certainly not similar to the commonly understood meanings of the various activities in IEEPA that the President is empowered to block.

Finally, to the extent that some Tornado Cash users are sanctioned persons, and they have some property at those smart contract addresses, then that property and that property alone is legitimately the target of sanctions. In that case the address of the smart contract itself is not an appropriate alias for that entity or property because, like the name John Smith, it wrongly subjects many more persons to sanctions scrutiny than sanctions laws intend or allow. This would be a problem if there was no way to discriminate between funds in the contract, but, as described above, there is already a compliance tool that allows law-abiding persons to prove that the source of their funds is not a sanctioned person. Given all that, the appropriate addresses to sanction are the addresses from which sanctioned persons are depositing to the Tornado Cash contracts and not the Tornado Cash contracts themselves.

We will continue to keep you updated as we work toward a legal challenge of the OFAC designation. If you are someone who has been injured by the designation, especially if you have funds stuck in a sanctioned smart contract or have been the unwilling recipient of funds from a sanctioned smart contract after the designation, we would like to talk to you. Please get in touch.